Guest DanG
Posted July 24, 2007

I had a message pop up today from Windows Defender, indicating that I had a "Win32/Virtumonde.O" trojan on my PC. I had WD remove the virus, and restarted as required. A few minutes later, the message popped up again. I have tried everything I can think of, including running WD in Safe Mode, but the virus keeps coming back. It seems that WD says it's been successfully removed, but it really isn't.

I've downloaded SpywareBot and Ad-Aware, but neither found my bug. When I run the Symantec program specifically intended to remove Adware.Virtumonde, it doesn't find anything. Neither does Avast. Perhaps Adware.VirtuMonde and Win32/VirtuMonde are not the same thing.

Any clues on what else I can try?

Guest Malke
Posted July 24, 2007

DanG wrote:
> I had a message pop up today from Windows Defender, indicating that I
> had a "Win32/Virtumonde.O" trojan on my PC. I had WD remove the
> virus, and restarted as required. A few minutes later, the message
> popped up again. I have tried everything I can think of, including
> running WD in Safe Mode, but the virus keeps coming back. It seems
> that WD says it's been successfully removed, but it really isn't.
>
> I've downloaded SpywareBot and Ad-Aware, but neither found my bug.
> When I run the Symantec program specifically intended to remove
> Adware.Virtumonde, it doesn't find anything. Neither does Avast.
> Perhaps Adware.VirtuMonde and Win32/VirtuMonde are not the same thing.
>
> Any clues on what else I can try?
>

Go through the preparatory steps here:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do all scans in Safe Mode. Please see the special Notes regarding using Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://pcdid.com/Multi_AV.htm - download

Then do the specific removal steps here:
http://www.elephantboycomputers.com/page2.html#Winfixer

You can also check to see if there are targeted removal steps for your malware here:
Bleeping Computer removal how-to's - http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, run HijackThis and post your log in one of the specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them elevated. Since Vista is so new, it will be a while before removal techniques and tools are developed. If you are unable to remove the infection by following the general steps, register at one of the HijackThis forums as suggested.

Standard caveat: If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a professional computer repair shop (not your local version of BigComputerStore/GeekSquad). Please be aware that not all local shops are skilled at removing malware and even if they are, your computer may be so infested that Windows will need to be clean-installed. Have all your data backed up before you take the machine into a shop.

Malke
--
Elephant Boy Computers
http://www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Guest Ron H
Posted July 24, 2007

Did you install Spybot or Spywarebot?

"Malke" wrote:
> DanG wrote:
> > I had a message pop up today from Windows Defender, indicating that I
> > had a "Win32/Virtumonde.O" trojan on my PC. I had WD remove the
> > virus, and restarted as required. A few minutes later, the message
> > popped up again. I have tried everything I can think of, including
> > running WD in Safe Mode, but the virus keeps coming back. It seems
> > that WD says it's been successfully removed, but it really isn't.
> >
> > I've downloaded SpywareBot and Ad-Aware, but neither found my bug.
> > When I run the Symantec program specifically intended to remove
> > Adware.Virtumonde, it doesn't find anything. Neither does Avast.
> > Perhaps Adware.VirtuMonde and Win32/VirtuMonde are not the same thing.
> >
> > Any clues on what else I can try?
> >
>
> Go through the preparatory steps here:
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> Include scanning with David Lipman's Multi_AV and follow instructions to
> do all scans in Safe Mode. Please see the special Notes regarding using
> Multi_AV in Vista.
>
> http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
> http://pcdid.com/Multi_AV.htm - download
>
> Then do the specific removal steps here:
> http://www.elephantboycomputers.com/page2.html#Winfixer
>
> You can also check to see if there are targeted removal steps for your
> malware here:
> Bleeping Computer removal how-to's -
> http://www.bleepingcomputer.com/forums/forum55.html
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed at the first link above (not here, please).
>
> Not all tools used will work in Vista and you will need to run them
> elevated. Since Vista is so new, it will be a while before removal
> techniques and tools are developed. If you are unable to remove the
> infection by following the general steps, register at one of the
> HijackThis forums as suggested.
>
> Standard caveat: If the procedures look too complex - and there is no
> shame in admitting this isn't your cup of tea - take the machine to a
> professional computer repair shop (not your local version of
> BigComputerStore/GeekSquad). Please be aware that not all local shops
> are skilled at removing malware and even if they are, your computer may
> be so infested that Windows will need to be clean-installed. Have all
> your data backed up before you take the machine into a shop.
>
>
> Malke
> --
> Elephant Boy Computers
> http://www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>

Guest David H. Lipman
Posted July 24, 2007

From: "DanG" <dang@rmci.net>

| I had a message pop up today from Windows Defender, indicating that I
| had a "Win32/Virtumonde.O" trojan on my PC. I had WD remove the
| virus, and restarted as required. A few minutes later, the message
| popped up again. I have tried everything I can think of, including
| running WD in Safe Mode, but the virus keeps coming back. It seems
| that WD says it's been successfully removed, but it really isn't.
|
| I've downloaded SpywareBot and Ad-Aware, but neither found my bug.
| When I run the Symantec program specifically intended to remove
| Adware.Virtumonde, it doesn't find anything. Neither does Avast.
| Perhaps Adware.VirtuMonde and Win32/VirtuMonde are not the same thing.
|
| Any clues on what else I can try?

Two phase answer...
Perform Part 1 then perform Part 2
If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 6.0, then you are strongly urged to remove any/all versions. There are numerous vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE Version 6.0 update 2 (jre 6u2)

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version. Such as...
C:\Program Files\Java\jre1.6.0_02

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1

Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
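
The folder check described in the post above, as an added example that is not part of the original post or any poster's own tooling: it classifies the runtime folders under a Java install root against the 6u2 baseline the post names. The function names, the folder-name pattern and the sample folder list are assumptions made for illustration.

```python
import os
import re

# Baseline named in the post: JRE 6 update 2, installed as jre1.6.0_02.
BASELINE = (1, 6, 0, 2)

# Assumed folder naming for Sun runtimes and kits of that era, e.g.
# j2re1.4.2_05, jre1.5.0_11, jre1.6.0_02, jdk1.6.0_02.
_NAME = re.compile(r"^(?:j2re|jre|j2sdk|jdk)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$", re.I)


def parse_version(folder):
    """Return (major, minor, micro, update), or None if the name is not recognised."""
    m = _NAME.match(folder)
    if not m:
        return None
    # A missing "_NN" suffix means update 0.
    return tuple(int(g) if g else 0 for g in m.groups())


def audit(folders, baseline=BASELINE):
    """Split folder names into outdated, current and unrecognised lists."""
    report = {"outdated": [], "current": [], "unrecognised": []}
    for name in sorted(folders):
        version = parse_version(name)
        if version is None:
            report["unrecognised"].append(name)
        elif version < baseline:
            report["outdated"].append(name)
        else:
            report["current"].append(name)
    return report


def audit_path(root=r"C:\Program Files\Java"):
    """Audit the sub-folders of a real install root; empty report if it is absent."""
    if not os.path.isdir(root):
        return audit([])
    return audit(d for d in os.listdir(root) if os.path.isdir(os.path.join(root, d)))


if __name__ == "__main__":
    # Constructed sample of what a machine with leftover runtimes might hold.
    sample = ["j2re1.4.2_05", "jre1.5.0_11", "jre1.6.0_01", "jre1.6.0_02", "notes"]
    for status, names in audit(sample).items():
        print(status, names)
    print(audit_path())
```

Anything listed as outdated is a candidate for removal through Add/Remove Programs; unrecognised names are reported rather than guessed at.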

Guest Milo (MSPSS)
Posted July 25, 2007

Windows Defender has a different signature when it comes to detecting vundo / virtuMonde, the possible detection may conclude if a part, the loader or the dropper of vundo is just about to start - the reasons why it's only Defender who may report such, for it doesn't only rely on the end product ( when and if vundo is already widespread in the system )

Please follow the steps above as posted by Malke and David. And please advise us for any development along the way.

Also, are you receiving ad marketing windows multiple prompts or so experiencing slowdown on start-up or loading Windows?
--
Milo
MSPSS

"DanG" wrote:
> I had a message pop up today from Windows Defender, indicating that I
> had a "Win32/Virtumonde.O" trojan on my PC. I had WD remove the
> virus, and restarted as required. A few minutes later, the message
> popped up again. I have tried everything I can think of, including
> running WD in Safe Mode, but the virus keeps coming back. It seems
> that WD says it's been successfully removed, but it really isn't.
>
> I've downloaded SpywareBot and Ad-Aware, but neither found my bug.
> When I run the Symantec program specifically intended to remove
> Adware.Virtumonde, it doesn't find anything. Neither does Avast.
> Perhaps Adware.VirtuMonde and Win32/VirtuMonde are not the same thing.
>
> Any clues on what else I can try?
>
>

Guest DanG
Posted July 25, 2007

Malke: Sorry, I was never able to read your message. I see your name in the tree, but no text. Seems like Milo was able to see it, so it must be something on my end. (shrug)

Ron: I tried both SpyBot and SpywareBot. Both found some adware, but not the VirtuMonde.O I needed to kill.

Milo: Yes, I have been seeing lots of windows prompts, many from sites I never heard of, telling me that I have a virus, and that I must download their software immediately. I do not. Also, I have not seen any general slowdown of the machine.

David: I did have JRE1.4, which I uninstalled and put on JRE1.6. The VirtumundoBeGone, which I ran first, seems to have done the trick. VundoFix was next, but it did not find it. I then reran both in Safe Mode, and both came up empty. I then ran the WD scan again, and it also came up empty. (whew!)

Another note... I use Avast as my virus blocker, and it was the first to tell me that a virus was inbound. I told it to delete the virus, and it said it was unable to do so because the file was locked. A few minutes later, Windows Defender popped up its message. By then, the virus was already embedded on the machine. I find it interesting that both packages saw it, and could do nothing about it.

Much thanks to all of you.
Da

Guest Milo (MSPSS)
Posted July 25, 2007

By any chance, did Windows Defender indicate the location of the said file tagged as vundo?

1. Go to Start > Run
   type %temp% ( folder would appear, delete all entries that can be deleted )
   type temp ( same )
   type prefetch ( same )

2. Go to Control Panel > locate an icon named System
   left click
   System Properties console would appear and go to System Restore tab
   put a check on "Turn off System Restore", apply and ok
   restart the computer
   scan again.

Should the process be successful, uncheck the "Turn off System Restore" box to avail of the restore point feature of Windows; this time it's no longer tainted by the said strands of infection.
--
Milo
MSPSS

"DanG" wrote:
> Malke: Sorry, I was never able to read your message. I see your name
> in the tree, but no text. Seems like Milo was able to see it, so it
> must be something on my end. (shrug)
>
> Ron: I tried both SpyBot and SpywareBot. Both found some adware, but
> not the VirtuMonde.O I needed to kill.
>
> Milo: Yes, I have been seeing lots of windows prompts, many from sites
> I never heard of, telling me that I have a virus, and that I must
> download their software immediately. I do not. Also, I have not seen
> any general slowdown of the machine.
>
> David: I did have JRE1.4, which I uninstalled and put on JRE1.6. The
> VirtumundoBeGone, which I ran first, seems to have done the trick.
> VundoFix was next, but it did not find it. I then reran both in Safe
> Mode, and both came up empty. I then ran the WD scan again, and it
> also came up empty. (whew!)
>
> Another note... I use Avast as my virus blocker, and it was the first
> to tell me that a virus was inbound. I told it to delete the virus,
> and it said it was unable to do so because the file was locked. A few
> minutes later, Windows Defender popped up its message. By then, the
> virus was already embedded on the machine. I find it interesting that
> both packages saw it, and could do nothing about it.
>
> Much thanks to all of you.
> Da
>
>

Guest Ron H
Posted July 25, 2007

DanG, also now you have to get rid of Spywarebot; it's on the list of rogue spyware products that goad (tell you that you have something when you really don't) to make you purchase. It is also spyware itself.
http://spywarewarrior.com/rogue_anti-spyware.htm

..htmlhttp://www.ntcompatible.com/have_you_seen_this_new_threat_yet_spywarebot_t34627
http://www.2-spyware.com/review-spywarebot.html

"DanG" wrote:
> I had a message pop up today from Windows Defender, indicating that I
> had a "Win32/Virtumonde.O" trojan on my PC. I had WD remove the
> virus, and restarted as required. A few minutes later, the message
> popped up again. I have tried everything I can think of, including
> running WD in Safe Mode, but the virus keeps coming back. It seems
> that WD says it's been successfully removed, but it really isn't.
>
> I've downloaded SpywareBot and Ad-Aware, but neither found my bug.
> When I run the Symantec program specifically intended to remove
> Adware.Virtumonde, it doesn't find anything. Neither does Avast.
> Perhaps Adware.VirtuMonde and Win32/VirtuMonde are not the same thing.
>
> Any clues on what else I can try?
>
>

Guest Ron H
Posted July 25, 2007

DanG, one of those links doesn't work; here it is again:
http://www.ntcompatible.com/have_you_seen_this_new_threat_yet_spywarebot_t34627.html

"Ron H" wrote:
> DanG, also now you have to get rid of Spywarebot; it's on the list of rogue
> spyware products that goad (tell you that you have something when you
> really don't) to make you purchase. It is also spyware itself.
> http://spywarewarrior.com/rogue_anti-spyware.htm
>
> .htmlhttp://www.ntcompatible.com/have_you_seen_this_new_threat_yet_spywarebot_t34627
> http://www.2-spyware.com/review-spywarebot.html
>
> "DanG" wrote:
>
> > I had a message pop up today from Windows Defender, indicating that I
> > had a "Win32/Virtumonde.O" trojan on my PC. I had WD remove the
> > virus, and restarted as required. A few minutes later, the message
> > popped up again. I have tried everything I can think of, including
> > running WD in Safe Mode, but the virus keeps coming back. It seems
> > that WD says it's been successfully removed, but it really isn't.
> >
> > I've downloaded SpywareBot and Ad-Aware, but neither found my bug.
> > When I run the Symantec program specifically intended to remove
> > Adware.Virtumonde, it doesn't find anything. Neither does Avast.
> > Perhaps Adware.VirtuMonde and Win32/VirtuMonde are not the same thing.
> >
> > Any clues on what else I can try?
> >
> >

Guest DanG
Posted July 25, 2007

Yes, I ran SpyBot-S&D last night, and saw that SpywareBot was listed. There was another one, too, that I downloaded from either BleepingComputer or HijackThis (I forget which) that also set off Avast warnings.

Dan
~ On a clear disk, you can seek forever ~